-rw-r--r--.cypress/cypress/integration/category_tests.js4
-rw-r--r--.cypress/cypress/integration/highways.js2
-rw-r--r--.cypress/cypress/integration/regressions.js17
-rw-r--r--.cypress/cypress/integration/staff.js4
-rw-r--r--CHANGELOG.md1
-rwxr-xr-xbin/browser-tests1
-rw-r--r--t/Mock/MapIt.pm2
-rw-r--r--web/cobrands/fixmystreet/fixmystreet.js14
8 files changed, 38 insertions, 7 deletions
diff --git a/.cypress/cypress/integration/category_tests.js b/.cypress/cypress/integration/category_tests.js
index 8bd21acaa..e9cf6b0d1 100644
--- a/.cypress/cypress/integration/category_tests.js
+++ b/.cypress/cypress/integration/category_tests.js
@@ -35,7 +35,7 @@ describe('Basic categories', function() {
cy.server();
cy.route('/report/new/ajax*').as('report-ajax');
cy.url().should('include', '/around');
- cy.get('#map_box').click(210, 200);
+ cy.get('#map_box').click(240, 249);
cy.wait('@report-ajax');
cy.get('[name=category]').should('not.be.visible');
cy.get('select:eq(3) option').each(function (obj, i) {
@@ -51,7 +51,7 @@ describe('Basic categories', function() {
it('category dropdown contains works from new page', function() {
cy.server();
cy.route('/report/new/ajax*').as('report-ajax');
- cy.visit('/report/new?latitude=51.496194&longitude=-2.603482');
+ cy.visit('/report/new?latitude=51.496194&longitude=-2.603439');
cy.get('[name=category]').should('not.be.visible');
cy.get('select:eq(1) option').each(function (obj, i) {
expect(obj[0].value).to.equal(categories[i]);
diff --git a/.cypress/cypress/integration/highways.js b/.cypress/cypress/integration/highways.js
index 8494259c8..72438b820 100644
--- a/.cypress/cypress/integration/highways.js
+++ b/.cypress/cypress/integration/highways.js
@@ -9,7 +9,7 @@ describe('Highways England tests', function() {
cy.get('[name=pc]').type(Cypress.env('postcode'));
cy.get('[name=pc]').parents('form').submit();
cy.url().should('include', '/around');
- cy.get('#map_box').click(210, 200);
+ cy.get('#map_box').click(240, 249);
cy.wait('@report-ajax');
cy.wait('@highways-tilma');
cy.get('#highways').should('contain', 'M6');
diff --git a/.cypress/cypress/integration/regressions.js b/.cypress/cypress/integration/regressions.js
index 00e92f5ad..547fc469b 100644
--- a/.cypress/cypress/integration/regressions.js
+++ b/.cypress/cypress/integration/regressions.js
@@ -25,4 +25,21 @@ describe('Regression tests', function() {
cy.get('#loading-indicator').should('be.hidden');
cy.get('#map_box image').should('be.visible');
});
+ it('Does not escape HTML entities in the title', function() {
+ cy.server();
+ cy.route('/around\?ajax*').as('update-results');
+ cy.request({
+ method: 'POST',
+ url: '/auth?r=/',
+ form: true,
+ body: { username: 'cs@example.org', password_sign_in: 'password' }
+ });
+ cy.visit('/report/1/moderate');
+ cy.get('[name=problem_title]').clear().type('M&S "brill" says <glob>').parents('form').submit();
+ cy.title().should('contain', 'M&S "brill" says <glob>');
+ cy.contains('Problems nearby').click();
+ cy.wait('@update-results');
+ cy.get('#map_sidebar').contains('M&S').click();
+ cy.title().should('contain', 'M&S "brill" says <glob>');
+ });
});
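Review bot: The pattern in `cy.route('/around\?ajax*')` does not contain the escape it appears to, because inside a JavaScript string literal `\?` is just `?`, so the matcher presumably treats it as a single-character glob wildcard rather than a literal question mark. It still matches the intended request, but a regex such as `cy.route(/\/around\?ajax/)` states what is meant. Since this test pushes markup characters through a user-editable title, it would also be worth asserting that they are never interpreted as HTML on the page, for example `cy.get('glob').should('not.exist');` after each `cy.title()` check.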
diff --git a/.cypress/cypress/integration/staff.js b/.cypress/cypress/integration/staff.js
index 88afb5490..ab1de0749 100644
--- a/.cypress/cypress/integration/staff.js
+++ b/.cypress/cypress/integration/staff.js
@@ -17,7 +17,7 @@ describe('Staff user tests', function() {
cy.get('[name=pc]').type(Cypress.env('postcode'));
cy.get('[name=pc]').parents('form').submit();
cy.url().should('include', '/around');
- cy.get('#map_box').click(210, 200);
+ cy.get('#map_box').click(240, 249);
cy.get('[name=form_as]').should('have.value', 'body');
cy.cleanUpXHR();
});
@@ -36,7 +36,7 @@ describe('Staff user tests', function() {
cy.get('[name=pc]').type(Cypress.env('postcode'));
cy.get('[name=pc]').parents('form').submit();
cy.url().should('include', '/around');
- cy.get('#map_box').click(210, 200);
+ cy.get('#map_box').click(240, 249);
cy.wait('@report-ajax');
cy.get('select:eq(3)').select('Graffiti');
cy.get('[name=title]').should('have.value', 'A Graffiti problem has been found');
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4fb18ccfb..825a9d353 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -20,6 +20,7 @@
- Keep all moderation history, and show in report/update admin. #2329
- Bugfixes:
- Restore map zoom out when navigating to /around from /report. #1649
+ - Don’t escape HTML entities in report titles pulled in by ajax. #2346
- Open311 improvements:
- Fix bug in contact group handling. #2323
- Improve validation of fetched reports timestamps. #2327
diff --git a/bin/browser-tests b/bin/browser-tests
index 2d4ee09ac..c663e56af 100755
--- a/bin/browser-tests
+++ b/bin/browser-tests
@@ -98,6 +98,7 @@ sub run {
my $c = Test::MockModule->new('FixMyStreet::Cobrand::FixMyStreet');
$c->mock('enable_category_groups', sub { 1 });
# Child, run the server on port 3001
+ FixMyStreet->test_mode(1); # So email doesn't try to send
local $ENV{FIXMYSTREET_APP_DEBUG} = 0;
require Plack::Runner;
my $runner = Plack::Runner->new;
diff --git a/t/Mock/MapIt.pm b/t/Mock/MapIt.pm
index f3f9f89b2..2778df1ed 100644
--- a/t/Mock/MapIt.pm
+++ b/t/Mock/MapIt.pm
@@ -26,7 +26,7 @@ my @PLACES = (
[ '?', 53.387402, -2.943997, 2527, 'Liverpool City Council', 'MTD' ],
[ 'EH1 1BB', 55.952055, -3.189579, 2651, 'Edinburgh City Council', 'UTA', 20728, 'City Centre', 'UTE' ],
[ 'BS10 5EE', 51.494885, -2.602237, 2561, 'Bristol City Council', 'UTA', 148646, 'Bedminster', 'UTW' ],
- [ 'BS20 5EE', 51.496194, -2.603482, 2608, 'Borsetshire County Council', 'CTY', 148646, 'Bedminster', 'UTW' ],
+ [ 'BS20 5EE', 51.496194, -2.603439, 2608, 'Borsetshire County Council', 'CTY', 148646, 'Bedminster', 'UTW' ],
[ 'SL9 0NX', 51.615559, -0.556903, 2217, 'Buckinghamshire County Council', 'CTY', 2257, 'Chiltern District Council', 'DIS' ],
[ 'SW1A 1AA', 51.501009, -0.141588, 2504, 'Westminster City Council', 'LBO' ],
[ 'GL50 2PR', 51.896268, -2.093063, 2226, 'Gloucestershire County Council', 'CTY', 2326, 'Cheltenham Borough Council', 'DIS', 4544, 'Lansdown', 'DIW', 143641, 'Lansdown and Park', 'CED' ],
diff --git a/web/cobrands/fixmystreet/fixmystreet.js b/web/cobrands/fixmystreet/fixmystreet.js
index 98e538933..100eec15d 100644
--- a/web/cobrands/fixmystreet/fixmystreet.js
+++ b/web/cobrands/fixmystreet/fixmystreet.js
@@ -1354,7 +1354,19 @@ fixmystreet.display = {
}
var found = html.match(/<title>([\s\S]*?)<\/title>/);
- var page_title = found[1];
+ // Unencode HTML entities so it's suitable for document.title. We
+ // only care about the ones encoded by the template's html_filter.
+ var map = {
+ '&amp;': '&',
+ '&gt;': '>',
+ '&lt;': '<',
+ '&quot;': '"',
+ '&#39;': "'"
+ };
+ var page_title = found[1].replace(/&(amp|lt|gt|quot|#39);/g, function(m) {
+ return map[m];
+ });
+
fixmystreet.page = 'report';
$('.big-hide-pins-link').hide();
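Review bot: `found[1].replace(...)` still dereferences the result of `html.match(...)` unchecked, so a response without a `<title>` element (an error page or a truncated reply) throws a TypeError here; a guard such as `var raw_title = found ? found[1] : '';` ahead of the replace would avoid that. The decoded `page_title` now holds raw `<`, `>`, `&` and quotes that originate from a user-submitted report title, which is fine for `document.title` but not for any HTML sink; its uses are outside this hunk, so I would extend the comment with `// page_title is plain text from here on: assign it only to document.title or other text sinks, never .html().` The single-pass replace is correct as written, since `&amp;lt;` decodes to `&lt;` and not to `<`. The enclosing function starts and ends outside the hunk.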